
S6C12 - AAA






Presentation Transcript


  1. S6C12 - AAA: AAA Facts

  2. AAA Defined
     • Authentication, Authorization, and Accounting
     • Central management of AAA
     • Information in a single, centralized, secure database
     • Easier to administer
     • Permits access control from a central database
     • Access server and network access server (NAS) refer to a router connected to the "edge" of a network.
     • This router allows outside users to access the network.

  3. Authentication
     • Authentication asks the question, "Who are you?"
     • Determines who the user is
     • Determines if the user should be allowed access
     • Bars intruders from networks
     • May use a simple database of users and passwords
     • Can use one-time passwords

  4. Why Use AAA for Authentication?
     • AAA provides scalability.
     • Supports standardized security protocols, namely Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), and Kerberos.
     • Allows you to configure multiple backup systems.
     • For example, you can configure an access server to consult a security server first and a local database second.

  5. Authorization
     • Asks the question, "What privileges do you have?"
     • Determines what the user is allowed to do
     • Network managers can limit which network services are available to each user
     • Limits the commands a new network administrator may issue on corporate NAS or routers

  6. Accounting
     • Asks the questions, "What did you do and when did you do it?"
     • Tracks what the user did and when they did it
     • Can be used as an audit trail
     • Can be used for billing connection time or resources used

  7. TACACS+
     • PROTOCOL
     • Designed to allow effective communication of AAA information between the NAS and a central server
     • Uses TCP for reliable connections between client and servers
     • NAS sends authentication and authorization requests and accounting information to the TACACS+ server
     • Shifts logic and policy to the database and server software, moving it out of Cisco IOS
     • Provides centralized validation of users attempting to gain access to a router or network access server

  8. RADIUS
     • Developed by Livingston Enterprises, Inc.
     • Secures remote access to networks and network services against unauthorized access
     • Protocol with frame format; utilizes UDP/IP
     • A Server
       • Authenticates, authorizes, accounts
       • Runs on the customer site
     • A Client
       • Resides in dial-up access servers
       • Distributed throughout the network

  9. Kerberos
     • A secret-key network authentication protocol used with AAA that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication
     • Designed to authenticate requests for network resources
     • Based on the concept of a trusted third party that performs secure verification of users and services
     • A trusted Kerberos server issues tickets to users
     • Can be used in place of the standard username and password authentication mechanism

  10. How RADIUS Client/Server Works
     • The NAS operates as a client of RADIUS
     • The client passes user information to the designated RADIUS server
     • The RADIUS server receives the request, authenticates the user, and returns the necessary configuration
     • The RADIUS server can act as a proxy client for other kinds of authentication servers

  11. RADIUS and Network Security
     • Transactions are authenticated through the use of a shared secret (never sent over the network)
     • User passwords are encrypted between the client and the RADIUS server
     • Supports a variety of methods to authenticate the user
     • PAP, CHAP, UNIX, et al.
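Slides 10 and 11 describe the NAS/RADIUS exchange and the two uses of the shared secret: hiding the User-Password on the wire and authenticating the server's reply. The following Python is an added example (not part of the presentation, and not Cisco or Livingston code) that implements both sides of one Access-Request/Access-Accept round trip as specified in RFC 2865: the User-Password hiding of section 5.2 (MD5 keystream chained from the Request Authenticator) and the Response Authenticator of section 3. The shared secret, user name, and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed for this example; configured on both NAS and server, never transmitted.
SHARED_SECRET = b"example-shared-secret"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous),
    where 'previous' is the Request Authenticator for the first block and the
    previous hidden block afterwards."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: invert hide_password(); the chaining value is the hidden block itself."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")  # drop padding (assumes no trailing NUL in the password)


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes):
    """NAS (client) side: fresh random Request Authenticator, hidden User-Password."""
    req_auth = os.urandom(16)
    attrs = attribute(USER_NAME, user) + attribute(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: the reply is bound to this request and to the shared secret."""
    auth = response_authenticator(code, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: discard replies not computed over our Request Authenticator with our secret."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], req_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def exchange(user: bytes, password: bytes, client_secret: bytes, server_secret: bytes):
    """One round trip. Returns (password as recovered by the server, reply accepted by the client)."""
    request, req_auth = build_access_request(7, user, password, client_secret)
    attrs, i, seen = request[20:], 0, None
    while i < len(attrs):                      # walk the attribute list
        attr_type, length = attrs[i], attrs[i + 1]
        if attr_type == USER_PASSWORD:
            seen = reveal_password(attrs[i + 2:i + length], server_secret, request[4:20])
        i += length
    code = ACCESS_ACCEPT if seen == password else ACCESS_REJECT
    reply = build_response(code, request[1], request[4:20], server_secret)
    return seen, verify_response(reply, req_auth, client_secret)


if __name__ == "__main__":
    print(exchange(b"admin", b"s3cret", SHARED_SECRET, SHARED_SECRET))
```

The second argument pair in `exchange` lets you see what a secret mismatch looks like from both ends: the server recovers garbage instead of the password, and the client rejects the reply because the Response Authenticator no longer matches. Note that the password hiding is an MD5-based stream cipher keyed only by the shared secret and a 16-byte authenticator, so its strength rests entirely on the secret's length and randomness.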

  12. Cisco Access Secure Server
     • Specialized security software that runs on Windows NT/2000 and Unix
     • Simplifies and centralizes control for all user authentication, authorization, and accounting
     • Can distribute the AAA information to hundreds or even thousands of access points in a network
     • Uses either the TACACS+ or the RADIUS protocol to provide this network security and tracking
     • Also acts as a central repository for accounting information

  13. Configuring AAA
     • Enable AAA
       aaa new-model
     • Tell the NAS where to locate the server
       tacacs-server host ip-address
       (repeat for a second server; two servers provide redundancy)
     • Set the encryption key
       tacacs-server key key
     • Tell which TACACS+ features to use (next slide)

  14. Configuration Process
     • Follow a three-step process for each AAA authentication command, as shown in
       • Specify the authentication type (login, enable, PPP, etc.).
       • Specify the method list as default or give it a name.
       • List the authentication methods to be tried, in order.
     Router(config)# aaa authentication ppp {default | list-name} method1 [...[method4]]

  15. Authentication
     • Authentication provides the method of identifying users, including:
       • Login and password dialog
       • Challenge and response
       • Messaging support
     • AAA authentication can be used to configure all of these configuration types:
       • Access to privileged EXEC mode (enable mode)
       • Access to virtual terminals
       • Access to the console
       • CHAP and PAP authentication for PPP connections
       • NetWare Asynchronous Services Interface (NASI) authentication
       • AppleTalk Remote Access Protocol (ARAP) authentication

  16. Authentication Methods
     • Using a password already configured on the router, such as the enable password or a line password
     • Using the local username/password database
     • Consulting a Kerberos server
     • Consulting a RADIUS server, or group of RADIUS servers
     • Consulting a TACACS+ server, or group of TACACS+ servers

  17. Sample TACACS+ Features
     aaa authentication login default tacacs+ line none
     aaa authentication login admin_only tacacs+ enable none
     aaa authentication login old_way line none
     • You have just created three login lists named default, admin_only, and old_way

  18. Four Methods

  19. Error: not the same as failure (the server could be unreachable)
     line con 0
      login authentication admin_only
     line aux 0
      login authentication admin_only
     line vty 0 4
      login authentication old_way
     line 1 16
      login authentication default
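Slides 14, 17 and 19 together define how a method list is evaluated: methods are tried in order, a method that cannot answer (server unreachable, no line or enable password configured) is an ERROR and the next method is consulted, while an explicit reject is a FAIL that ends the attempt. The following Python is an added example (not from the presentation and not Cisco IOS code) that models those semantics for the three login lists on slide 17. The backends and passwords are constructed for the demo.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method answered: allow
    FAIL = "fail"    # the method answered: deny; no further methods are tried
    ERROR = "error"  # the method could not answer (e.g. server unreachable); try the next one


# Constructed backends for the demo. Only the list names come from the slides.
def tacacs_plus(user, password, ctx):
    server = ctx["tacacs"]
    if not server["reachable"]:
        return Result.ERROR
    return Result.PASS if server["users"].get(user) == password else Result.FAIL


def local(user, password, ctx):
    return Result.PASS if ctx["local_users"].get(user) == password else Result.FAIL


def line(user, password, ctx):
    # No line password configured: the method cannot decide, which is an error, not a failure.
    if ctx.get("line_password") is None:
        return Result.ERROR
    return Result.PASS if password == ctx["line_password"] else Result.FAIL


def enable(user, password, ctx):
    if ctx.get("enable_password") is None:
        return Result.ERROR
    return Result.PASS if password == ctx["enable_password"] else Result.FAIL


def none(user, password, ctx):
    return Result.PASS  # unconditional allow


METHODS = {"tacacs+": tacacs_plus, "local": local, "line": line, "enable": enable, "none": none}

# The three login lists from slide 17.
METHOD_LISTS = {
    "default": ["tacacs+", "line", "none"],
    "admin_only": ["tacacs+", "enable", "none"],
    "old_way": ["line", "none"],
}


def authenticate(list_name, user, password, ctx):
    """Walk the list in order: ERROR falls through, the first PASS or FAIL is final.
    Returns (result, name of the method that decided)."""
    for name in METHOD_LISTS[list_name]:
        result = METHODS[name](user, password, ctx)
        if result is Result.ERROR:
            continue
        return result, name
    return Result.FAIL, "all methods errored"


def make_ctx(server_up=True, enable_password="cisco", line_password="linepw"):
    """Constructed environment: one TACACS+ server, one local user, optional line/enable passwords."""
    return {
        "tacacs": {"reachable": server_up, "users": {"admin": "cisco"}},
        "local_users": {"admin": "cisco"},
        "enable_password": enable_password,
        "line_password": line_password,
    }


if __name__ == "__main__":
    print(authenticate("admin_only", "admin", "wrong", make_ctx()))                  # FAIL at tacacs+
    print(authenticate("admin_only", "admin", "cisco", make_ctx(server_up=False)))   # PASS at enable
    print(authenticate("admin_only", "admin", "wrong",
                       make_ctx(server_up=False, enable_password=None)))             # PASS at none
```

The third call is the case worth checking in a real configuration: with the server down and no enable password set, every method before `none` errors, so `none` is reached and the login is accepted with any password. A trailing `none` is only a safe outage fallback if the method before it can actually decide, so confirm that the fallback password exists on every line that uses such a list.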

  20. Sample Code
     aaa authorization network tacacs+ none
     aaa authorization connection tacacs+ if-authenticated
     aaa authorization commands 1 tacacs+ if-authenticated
     aaa authorization commands 15 tacacs+ if-authenticated
     • NOTE: you can't configure the router until you have been authenticated

  21. Eight Authorization Methods
     • Authentication proxy services
     • Commands
     • Configuration commands (using no aaa authorization)
     • EXEC
     • Network services
     • Reverse Telnet access
     • Configuration
     • IP Mobile

  22. Configuring AAA Authorization
     • Enable AAA using the aaa new-model command.
     • Configure AAA authentication. Authorization generally takes place after authentication and relies on authentication to work properly.
     • Configure the router as a TACACS+ or RADIUS client, if necessary.
     • Configure the local username/password database, if necessary. Using the username command, you can define the rights associated with specific users.

  23. Privilege Levels
     • Privilege level 1 = non-privileged (prompt is router>), the default level for login
     • Privilege level 15 = privileged (prompt is router#), the level after going into enable mode
     • Privilege level 0 = includes 5 commands: disable, enable, exit, help, and logout

  24. AAA supports six different types of accounting:
     • Network
     • Exec
     • Commands
     • Connection
     • System
     • Resource

  25. Security Example: with and without TACACS+
     Without TACACS+:
       aaa new-model
       aaa authentication login default local
       username admin password cisco
     With TACACS+:
       aaa new-model
       aaa authentication login default group tacacs+ local
       aaa authentication enable default group tacacs+ enable
       aaa authorization exec default group tacacs+
       tacacs-server host 10.1.1.254
       tacacs-server timeout 30
       tacacs-server key superman
       username admin password cisco
       enable password cisco
